http://www.electronista.com/articles/11/06/28/symantec.says.android.slipping.vs.ios.on.security/
This might be it. It's interesting but doesn't compel me or mitigate my concerns. It's not just security/malware. It's privacy. The idea that Facebook could read my texts is unnerving to say the least...same for the other apps out there which are bundled with the phone (a la Blockbuster and at least one game of which I know).
That's it. Good golly... You can read it and get your answer or you can go on wondering and posting. I'm in a good mood today so from the article:
Isolation (Sandboxing)
The iOS operating system isolates each app from every other app on the system - apps aren't allowed to view or modify each other's data, logic, etc. One app can't even find out if another app is present on the device. Nor can apps access the iOS operating system kernel - they can't install privileged drivers on the device or otherwise obtain root-level (administrator) access to the device. This inherent design choice ensures a high degree of separation between apps, and between each app and the operating system.
The isolation approach implemented by iOS completely prevents each app from accessing other apps' data - this policy is enforced regardless of whether apps encrypt their data or not, so long as the device has not been jail-broken. Moreover, beyond the library of media files, the calendar, and the contact database which are all accessible to any app, iOS has no centralized repository of shared data that might pose a serious compromise risk.
--And here's the evaluation of Android:
How effective is Android's isolation system?
Since Android isolates each app from every other app on the system, from most of the device's services, and from the operating system itself, this means that if an attacker compromises a legitimate app, they will not be able to attack other apps or the Android operating system itself. This is a positive of Android's isolation model.
Let's consider Android's Web browser. Web browsers are by far the most targeted class of legitimate application, since attackers know that Web browsers often have security flaws that can easily be exploited by a properly crafted malicious Web page. Imagine that an attacker posted a malicious Web page that attacked a known flaw of Android's Web browser. If an unsuspecting user surfed to this Web page, the attack could inject itself into the Android browser and begin running. Once running in the Web browser's process, would this attack pose a threat? Yes and no.
First, Android's isolation policy would ensure that the attack could not spread beyond the browser to other apps on the system or to the operating system kernel itself. However, such an attack could access any parts of the system that the Web browser app had been granted permission to access. For example, if the Web browser had permission to save or modify data on the user's SD storage card (for example, to save downloads on the card), then the attacker could take advantage of this permission to corrupt data on the SD storage card. Therefore, an attacker effectively gains the same control over the device as the app they manage to attack, with varying implications depending on the set of permissions requested by the compromised app.
Moreover, malicious code within the attacked process can also steal any data that flows through the process itself. In the case of a Web browser, the attack could easily obtain login names, passwords, credit card numbers, CCV security codes, account numbers, browsing history, bookmarks, etc. Since mobile users often access internal enterprise applications via their mobile Web browser, this could lead to leakage of highly sensitive enterprise data, even if VPN or SSL encryption are employed. And such a malicious agent in the browser could also initiate malicious transactions on behalf of the user, without their consent.
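The quoted evaluation says a compromised app gives an attacker exactly what that app's permissions allow. As an added example (not part of the quoted article or of any post in this thread), this sketch lists what an app's manifest requests so that exposure can be reviewed. It assumes the manifest has already been decoded to text XML; the exposure table, the `com.example.browser` package and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed reviewer's table: what a compromised process holding each permission could reach.
EXPOSURE = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or corrupt files on the SD card",
    "android.permission.READ_SMS": "read the user's text messages",
    "android.permission.READ_CONTACTS": "read the contact database",
    "android.permission.INTERNET": "send data the process handles off the device",
}

# Constructed sample manifest for a hypothetical browser app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.browser">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Example Browser"/>
</manifest>"""


def requested_permissions(manifest_xml):
    # Only parse manifests you trust: the stdlib parser does not limit entity expansion.
    root = ET.fromstring(manifest_xml)
    names = [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]
    return sorted({n for n in names if n})


def blast_radius(manifest_xml):
    """Split requested permissions into known exposures and ones not in the table."""
    exposed, unreviewed = {}, []
    for perm in requested_permissions(manifest_xml):
        if perm in EXPOSURE:
            exposed[perm] = EXPOSURE[perm]
        else:
            unreviewed.append(perm)
    return exposed, unreviewed


if __name__ == "__main__":
    exposed, unreviewed = blast_radius(SAMPLE_MANIFEST)
    for perm, impact in exposed.items():
        print(f"{perm}: {impact}")
    print("not in table, review by hand:", unreviewed)
```

Permissions missing from the table are returned separately rather than dropped, so an unfamiliar permission is flagged for manual review instead of being treated as harmless.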